ABSTRACT

We present a quantum digital signature scheme whose security is based on fundamental principles of quantum physics. It allows a sender (Alice) to sign a message in such a way that the signature can be validated by a number of different people, and all will agree either that the message came from Alice or that it has been tampered with. To accomplish this task, each recipient of the message must have a copy of Alice's "public key," which is a set of quantum states whose exact identity is known only to Alice. Quantum public keys are more difficult to deal with than classical public keys: for instance, only a limited number of copies can be in circulation, or the scheme becomes insecure. However, in exchange for this price, we achieve unconditionally secure digital signatures. Sending an $m$-bit message uses up $O(m)$ quantum bits for each recipient of the public key. We briefly discuss how to securely distribute quantum public keys, and show the signature scheme is absolutely secure using one method of key distribution. The protocol provides a model for importing the ideas of classical public key cryptography into the quantum world.

1. INTRODUCTION 

The physics of quantum systems opens a door to tremendously intriguing possibilities for cryptography, the art and science of communicating in the presence of adversaries [?]. One major goal of classical cryptography is to certify the origin of a message. Much like a handwritten signature on a paper document, a digital signature [?] authenticates an electronic document and ensures that it has not been tampered with. The importance of digital signatures to modern electronic commerce has become such that Rivest has written "[they] may prove to be one of the most fundamental and useful inventions of modern cryptography." [?] This is especially true of schemes where the signature can be recognized using a widely available reference. The security of all such public key digital signature schemes presently depends on the inability of a forger to solve certain difficult mathematical problems, such as factoring large numbers [23]. Unfortunately, with a quantum computer factoring becomes tractable [?], thus allowing signatures to be forged.

We present a quantum digital signature scheme which is absolutely secure, even against powerful quantum cheating strategies. It allows a sender (Alice) to sign a message so that the signature can be validated by one or more different people, and all will agree either that the message came from Alice or that it has been tampered with. The scheme described here is somewhat cumbersome, but the underlying principles suggest novel research directions for the field of quantum cryptography. While quantum public keys are more limited than classical public keys, they remain more powerful than private keys, and the existence of an unconditionally secure quantum digital signature scheme suggests an as-yet unrealized potential for quantum public key cryptography.

Classical digital signature schemes can be created out of any one-way function [?]. $f(x)$ is a one-way function if it is easy to compute $f(x)$ given $x$, but computing $x$ given $f(x)$ is very difficult. This allows the following digital signature scheme [?]: Alice chooses $k_0$ and $k_1$, and publicly announces $f$, $(0, f(k_0))$ and $(1, f(k_1))$. Later, to sign a single bit $b$, Alice presents $(b, k_b)$. The recipient can easily compute $f(k_b)$ and check that it agrees with Alice's earlier announcement, and since $k_0$ and $k_1$ were known only to Alice, this certifies that she must have sent the message. The public keys can only be used once, unlike more sophisticated digital signature schemes, but this simple protocol serves as a good model for a quantum scheme. While there are many candidate one-way functions, none have been proven to be secure, and some, such as multiplying together two primes (the inverse being factoring the product), become insecure on a quantum computer. This deficiency leaves a substantial gap in the cryptographic landscape.

2. MAIN RESULT 

We describe a digital signature scheme based on a quantum analogue of a one-way function which, unlike any classical function, is provably secure from an information-theoretic standpoint, no matter how advanced the enemy's computers. Our goal is to reproduce the primary advantages of classical public key cryptography in a quantum setting. These are twofold: First, a public key can be safely given to an opponent without endangering the security of the protocol. This reduces the security requirements involved in key distribution. Second, every recipient has the same public key, which simplifies key distribution further; someone who is unsure whether he has received a correct public key can compare with one from a different source or with a friend's copy of the key. Our protocol should not be regarded as the culmination of this line of research, but as proof of the principle that quantum protocols can have these properties.

The key idea we introduce is a one-way function whose input is a classical bit-string $k$, and whose output is a quantum state $|f_k\rangle$ (versus, for instance, a function which maps quantum states to quantum states). Like the above classical scheme, we will require $O(m)$ quantum bits (qubits) to sign an $m$-bit message. It is not sufficient, however, to simply plug in $|f_k\rangle$ in place of $f(k)$. First, due to the no-cloning theorem [?], there can be no perfect equality test for quantum states. Also, as we show below, the nature of quantum states provides Alice with non-classical cheating strategies. And unlike classical schemes, only a limited number of copies of the public key can be issued, or the scheme becomes insecure. Despite these difficulties, the protocol we present, when used correctly, allows the probability of any security failure to be made exponentially small with only polynomial expenditure of resources. We begin by defining quantum one-way functions and discussing their properties. We then present our signature protocol and prove its security; this proof appears in two parts, separated by a discussion of key distribution. We conclude with some generalizations of and limitations to our protocol.

3. QUANTUM ONE-WAY FUNCTIONS 

Ever since the invention of secure quantum key distribution [?], many attempts have been made to exploit the unique properties of quantum systems to provide new cryptographic primitives. A great surprise was the failure of quantum bit commitment [19]; subsequently, less powerful but still interesting primitives such as quantum bit escrow [1] were introduced. Looking beyond cryptography, many more new quantum protocols have been discovered, such as quantum random access codes [?] and quantum fingerprints [10].

Here, we introduce a limited-utility quantum one-way function, based on two properties of quantum systems [?] which are also essential for quantum fingerprinting. First, quantum bits, unlike their classical counterparts, can exist in a superposition of 0 and 1. The general state of a single qubit is written as a two-component vector $\alpha_0|0\rangle + \alpha_1|1\rangle = (\alpha_0, \alpha_1)^T$, where $|0\rangle$ and $|1\rangle$ form an orthonormal basis for the vector space, and $\alpha_0, \alpha_1$ are complex numbers satisfying $|\alpha_0|^2 + |\alpha_1|^2 = 1$. Because of this continuous degree of freedom, distances between two qubit states $|\psi\rangle$ and $|\psi'\rangle$ naturally take on non-integer values (less than the maximum, 1), defined as $\sqrt{1 - |\langle\psi|\psi'\rangle|^2}$, where $\langle\psi|\psi'\rangle$ is the inner product between the two vectors. This becomes particularly interesting when considering the general state of $n$ qubits, $|\psi_n\rangle = \sum_{j=0}^{2^n-1} \alpha_j |j\rangle$, where the number of coefficients is exponentially larger than the number of qubits. It follows from simple volumetric arguments that sets of states $\{|\psi_k\rangle\}$ exist satisfying $|\langle\psi_k|\psi_{k'}\rangle| \le \delta$ for $k \ne k'$ where the set may have many more than $2^n$ states if $\delta < 1$, meaning the states are not maximally distant from each other. In fact, as Buhrman, Cleve, Watrous, and de Wolf showed [10], for $\delta \approx 0.9$, one may have a set of size $2^{O(2^n)}$.

We shall make use of this property by taking all classical bit strings $k$ of length $L$, and assigning to each one a quantum state $|f_k\rangle$ of $n$ qubits. These states are nearly orthogonal: $|\langle f_k|f_{k'}\rangle| \le \delta$ for $k \ne k'$, allowing $L$ to be much larger than $n$. As mentioned above, for the quantum fingerprint states, $L = O(2^n)$ with $\delta \approx 0.9$. Another family is provided by the set of stabilizer states [?], with $L = n^2/2 + o(n^2)$ and $\delta = 1/\sqrt{2}$. Both these sets are easy to create with any standard set of universal quantum gates. A third family of interest uses just $n = 1$ qubit per state, and consists of the states $\cos(j\theta)|0\rangle + \sin(j\theta)|1\rangle$, for $\theta = \pi/2^L$ and integer $j$. This family works for any value of $L$, and gives $\delta = \cos\theta$.

The second property we exploit is that although the mapping $k \mapsto |f_k\rangle$ is easy to compute and verify, it is impossible to invert (without knowing $k$) by virtue of a fundamental theorem of quantum information theory. Holevo's theorem limits the amount of classical information that can be extracted from a quantum state [?]; in particular, measurements on $n$ qubits can give at most $n$ classical bits of information. Thus, given $T$ copies of the state $|f_k\rangle$, we can learn at most $Tn$ bits of information about $k$, and when $L - Tn \gg 1$, our chance of successfully guessing the string $k$ remains small. This means that $k \mapsto |f_k\rangle$ acts as a sort of quantum one-way function, with a classical input and a quantum output.

Certain important properties of classical functions are taken for granted which are no longer so straightforward quantum-mechanically. Given two outputs $|f_k\rangle$ and $|f_{k'}\rangle$, how can we be sure that $k = k'$? This is done using a simple quantum circuit [10], which we shall call the swap test. Take the states $|f_k\rangle$ and $|f_{k'}\rangle$, and prepare a single ancilla qubit in the state $(|0\rangle + |1\rangle)/\sqrt{2}$. Next, perform a Fredkin gate (controlled-swap) with the ancilla qubit as control and $|f_k\rangle$ and $|f_{k'}\rangle$ as targets. Then perform a Hadamard gate on the ancilla qubit and measure it. If the result is $|0\rangle$, then the swap test is passed; this always happens if $|f_{k'}\rangle = |f_k\rangle$. Otherwise, if $|\langle f_{k'}|f_k\rangle| \le \delta$, the result $|0\rangle$ occurs with probability at most $(1 + \delta^2)/2$. If the result is $|1\rangle$, then the test fails; this happens only when $k \ne k'$ and occurs with probability at least $(1 - \delta^2)/2$. Clearly the swap test works equally well even if the states are not outputs of the function $f$: if the states are the same, they always pass the swap test, while if they are different, they sometimes fail. The point is that an equality test exists, but fails with nonzero probability.

Another important property is the ability to verify the output of the function: given $k$, how do we check that a state $|\psi\rangle = |f_k\rangle$? This is straightforward: since the function $|k\rangle|0\rangle \mapsto |k\rangle|f_k\rangle$ is easy to compute (here, $|0\rangle$ denotes an $n$ qubit state), simply perform the inverse operation, and measure the second register. If $|\psi\rangle \ne |f_k\rangle$, the measurement result will be nonzero with probability $1 - |\langle\psi|f_k\rangle|^2$. Thus, verification is also possible, but again it is probabilistic.
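The swap test and the verification test just described, simulated exactly for the one-qubit family $\cos(j\theta)|0\rangle + \sin(j\theta)|1\rangle$, $\theta = \pi/2^L$, of Section 3. This is an added example and not code from the paper: the three-qubit swap-test circuit (ancilla in $(|0\rangle+|1\rangle)/\sqrt{2}$, Fredkin gate, Hadamard on the ancilla) is carried out on explicit amplitudes in pure Python, and the verification test applies the inverse of $|0\rangle \mapsto |f_k\rangle$, which for this family is a rotation by $-k\theta$, and reads off the probability of a nonzero outcome. The function names and the choice $L = 3$ are the example's own.

```python
import math


def family_state(j, L):
    """The one-qubit family from the paper: |f_j> = cos(j*theta)|0> + sin(j*theta)|1>,
    theta = pi / 2**L.  Returned as the real amplitude pair (a0, a1)."""
    theta = math.pi / 2 ** L
    return (math.cos(j * theta), math.sin(j * theta))


def family_delta(L):
    """Largest overlap |<f_j|f_j'>| between two distinct members of the family: cos(theta)."""
    return math.cos(math.pi / 2 ** L)


def inner_product(psi, phi):
    """<psi|phi> for two single-qubit amplitude vectors (complex amplitudes allowed)."""
    return sum(complex(a).conjugate() * b for a, b in zip(psi, phi))


def swap_test_pass_probability(psi, phi):
    """Run the swap-test circuit on explicit amplitudes and return Pr[ancilla reads |0>].
    Basis index (a, x, y): ancilla a, register A in state x, register B in state y."""
    r = 1 / math.sqrt(2)
    # ancilla starts in (|0> + |1>)/sqrt(2); registers hold psi and phi
    amp = {}
    for a in (0, 1):
        for x in (0, 1):
            for y in (0, 1):
                amp[(a, x, y)] = r * psi[x] * phi[y]
    # Fredkin gate: swap the two registers exactly when the ancilla is |1>
    after_fredkin = {}
    for (a, x, y), v in amp.items():
        after_fredkin[(a, y, x) if a == 1 else (a, x, y)] = v
    # Hadamard on the ancilla mixes the a=0 and a=1 branches
    after_h = {}
    for x in (0, 1):
        for y in (0, 1):
            v0, v1 = after_fredkin[(0, x, y)], after_fredkin[(1, x, y)]
            after_h[(0, x, y)] = r * (v0 + v1)
            after_h[(1, x, y)] = r * (v0 - v1)
    # measuring |0> on the ancilla: total weight of the a=0 branch
    return sum(abs(v) ** 2 for (a, _, _), v in after_h.items() if a == 0)


def verification_fail_probability(psi, k, L):
    """Verification test for claimed key k: undo |0> -> |f_k> (rotate by -k*theta) and
    return Pr[second register measures nonzero] = 1 - |<psi|f_k>|^2."""
    theta = math.pi / 2 ** L
    c, s = math.cos(k * theta), math.sin(k * theta)
    # amplitude left on |1> after the inverse rotation R(-k*theta) is applied to psi
    amp1 = -s * psi[0] + c * psi[1]
    return abs(amp1) ** 2


if __name__ == "__main__":
    L = 3
    f0, f1, f2 = (family_state(j, L) for j in (0, 1, 2))
    delta = family_delta(L)
    print("identical states pass the swap test with prob", swap_test_pass_probability(f0, f0))
    print("closest distinct states pass with prob", swap_test_pass_probability(f0, f1),
          "bound (1+delta^2)/2 =", (1 + delta ** 2) / 2)
    print("|<f0|f2>|^2 =", abs(inner_product(f0, f2)) ** 2)
    print("verifying |f_1> against k=0 fails with prob", verification_fail_probability(f1, 0, L),
          "= 1 - delta^2 =", 1 - delta ** 2)
```

For $L = 3$ the block reports a pass probability of 1 for identical states, $(1+\delta^2)/2$ with $\delta = \cos(\pi/8)$ for the two closest distinct states, and a verification failure probability of exactly $1-\delta^2$ when the wrong neighbouring key is claimed, which is the bound used later in the forgery argument.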

A naive quantum signature protocol. What happens if we simply drop in our quantum one-way function in place of the classical one in Lamport's signature scheme [?] (described above)? The protocol parameters $L$ and $n$ are fixed, and a map $k \mapsto |f_k\rangle$ is chosen by all parties. Alice generates $k_0$ and $k_1$ as her private keys, and publicly announces $(0, |f_{k_0}\rangle)$ and $(1, |f_{k_1}\rangle)$ as her public keys. As in Lamport's scheme, she then signs a bit $b$ by presenting $(b, k_b)$. Ideally, the recipient, Bob, would then want to test Alice's quantum public key for validity. He can do this using the verification test, to see if $|k_b\rangle|f_{k_b}\rangle$ maps back to $|k_b\rangle|0\rangle$. Furthermore, once Bob is satisfied with the validity of Alice's message, he would like to be able to pass it on to Judge Charlie, knowing that Charlie will also find the message valid. Unfortunately, Bob's test sometimes fails; furthermore, it irreversibly consumes one of Alice's public keys!

Other potential problems arise as well. For instance, unlike the output of a perfect classical one-way function, from which someone with limited computational ability can learn nothing at all about the input, $|f_k\rangle$ always leaks a limited amount of information about $k$, the input to the quantum one-way function. Furthermore, quantum cheating strategies become available; for example Alice may want to make Bob and Charlie disagree on the validity of her message. How can we be sure that all of the copies of the public keys she hands out are identical? Along the same lines, Alice is free to prepare an entangled initial state, with which she can delay choosing $k$ until after she has given $|f_k\rangle$ away. Her ability to do this spells the doom of any attempt to use quantum one-way functions to perform bit commitment [?], which is one application of classical one-way functions. But only Alice has the ability to change the state, and it will not help her in this instance. This saving grace enables us to use quantum one-way functions to perform digital signatures. Most of the new difficulties introduced by quantum states can be dealt with by using many public keys per message bit instead of just one. In the remainder of the paper, we discuss the details of this modification, and more importantly address the issue of Alice's quantum cheating strategies.

4. QUANTUM SIGNATURE PROTOCOL 

We now present the signature protocol, beginning first with a definition of what such a protocol should accomplish and how its security is evaluated; following this we present the quantum protocol in detail.

Definition. We adopt essentially the usual definition of a one-use digital signature; that is, Alice has a set of private keys and all recipients have copies of the corresponding public keys. Given a message $b$, Alice can then produce a single signed message $(b, s(b))$. Conversely, given any message, signature pair $(b', s')$ any recipient can process the pair to reach one of three possible conclusions:

1-ACC: Message is valid, can be transferred
0-ACC: Message is valid, might not be transferable
REJ: Message is invalid

The first two results imply that Alice sent the message $b'$. They differ in that result 1-ACC means the recipient is sure any other recipient will also conclude the message is valid (thus the message is "transferable"), whereas result 0-ACC allows the possibility that a second recipient might conclude the message is invalid (the number "1" or "0" refers to the minimum number of people who agree with the conclusion that the message is valid). Result REJ implies the recipient cannot safely reach any conclusion about the authenticity of the message. We require that any recipient who receives a correct message, signature pair $(b, s(b))$ always reaches conclusion 1-ACC.

Security criteria. The protocol should satisfy two security criteria. First, it should be secure against forging, which means that, even given access to a valid signed message $(b, s(b))$ and all available copies of the public keys, no forger has an appreciable chance of creating a message, signature pair $(b', s')$ (with $b' \ne b$) such that an honest recipient will accept it (conclusions 1-ACC or 0-ACC) except with exponentially small probability. Second, the scheme should be secure against Alice's attempts to repudiate the message. That is, for any pair of recipients, with high probability, if the first recipient reaches conclusion 1-ACC (the message is valid and transferable), then the second recipient also reaches conclusion 1-ACC or 0-ACC (the message is valid).

Our definition differs from the most common classical definitions in only three respects: First, the possibility of result 0-ACC is not available in most classical signature schemes (although some allow it). Second, we only require that the security criteria hold with high probability (again true of some classical schemes). Third, and most notably, the public keys in our scheme are quantum states rather than classical strings.

This protocol is applicable to a variety of cryptographic problems. For instance, Alice may wish to sign a contract with Bob such that Bob can prove to Judge Charlie that the contract is valid. In this case, Bob should accept the contract whenever he gets result 1-ACC for a message, and Charlie should accept unless he gets result REJ. This problem can also be solved by a variety of classical protocols, of course. However, most only offer security against computationally-bounded attacks. Others offer information-theoretic security, but require additional resources during the key distribution phase (see Section 6), such as a secure anonymous broadcast channel [11] or a noisy channel [?, 12], which are difficult to justify as physical resources. In addition, the classical information-theoretic protocols use distinct private keys and require substantial interaction among the participants during the key distribution phase, whereas the quantum protocol we present below requires only a physically plausible quantum channel and modest interactivity quite similar to that required by classical public key distribution.

Quantum signature protocol specification. As the private keys for our protocol, Alice chooses a number of pairs of $L$-bit strings $\{k_0^i, k_1^i\}$, $1 \le i \le M$. The $k_0^i$'s will later be used to sign a message $b = 0$, and the $k_1^i$'s will be used to sign $b = 1$. Note $k_0^i$ and $k_1^i$ are chosen independently and randomly for each $i$, and $M$ keys are used to sign each bit. $M$ is the security parameter; the protocol is exponentially secure in $M$ when the other parameters are fixed. The states $\{|f_{k_0^i}\rangle, |f_{k_1^i}\rangle\}$ (for each $i$) will then be Alice's public keys for an appropriate quantum one-way function $f$. The public keys are "public," in the sense that no particular security measures are necessary in distributing them: if a number of copies fall into the hands of potential forgers, the protocol remains secure. Note that the creation of these keys is up to Alice (or someone she trusts), because unknown quantum states cannot be perfectly copied, according to the no-cloning theorem [?]. We begin by making the simplifying assumption that all recipients have received correct and identical copies of Alice's public keys; we will revisit this assumption later in the paper.

All participants in the protocol will know how to implement the map $k \mapsto |f_k\rangle$. All participants will also know two numbers, $c_1$ and $c_2$, thresholds for acceptance and rejection used in the protocol. A bound on the allowed value of $c_2$ will be given as part of the proof of security, below. $c_1$ can be zero in the absence of noise; the gap $c_2 - c_1$ limits Alice's chance of cheating. We assume perfect devices and channels throughout this paper, but our protocol still works in the presence of weak noise by letting $c_1$ be greater than zero, and with other minor adjustments. We further require that Alice limits distribution of the public keys so that $T < L/n$ copies of each key are available (recall that $|f_k\rangle$ is an $n$ qubit state).

Alice can now send a single-bit message $b$ using the following procedure:

1. Alice sends the signed message $(b, k_b^1, k_b^2, \ldots, k_b^M)$ over an insecure classical channel. Thus, Alice reveals the identity of half of her public keys.

2. Each recipient of the signed message checks each of the revealed public keys to verify that $k_b^i \mapsto |f_{k_b^i}\rangle$. Recipient $j$ counts the number of incorrect keys; let this be $s_j$.

3. Recipient $j$ accepts the message as valid and transferable (result 1-ACC) if $s_j < c_1 M$, and rejects it as invalid (result REJ) if $s_j > c_2 M$. If $c_1 M \le s_j \le c_2 M$, recipient $j$ concludes the message is valid but not necessarily transferable to other recipients (result 0-ACC).

4. Discard all used and unused keys.

When $s_j$ is large, the message has been heavily tampered with, and may be invalid. When it is small, the message cannot have been changed very much from what Alice sent. $s_j$ is similar for all recipients, but need not be identical. As we shall see below, the thresholds $c_1$ and $c_2$ separate values of $s_j$ into different domains of security. Forgery is prevented by $c_2$, and cheating by Alice is prevented by a gap between $c_2$ and $c_1$.
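A simulation of steps 1 to 4 for one honest recipient, added here as an example and not the paper's code. Public keys are drawn from the one-qubit family of Section 3, so a revealed key $k$ checked against a held state $|f_{k'}\rangle$ passes verification with probability $|\langle f_{k'}|f_k\rangle|^2 = \cos^2((k-k')\theta)$; the threshold $c_2$ is set just below the forgery bound $(1-\delta^2)(M-G) > c_2 M$ with $G = 2^{-(L-Tn)}(2M)$ that Section 5 derives. The forger modelled here is assumed to know nothing about the unrevealed keys and to guess them uniformly at random (the paper's bound allows her $Tn$ bits per key). The parameter values $L=3$, $n=1$, $T=1$, $M=200$ and all function names are the example's own.

```python
import math
import random


def overlap_sq(j, jp, L):
    """|<f_j|f_j'>|^2 for the one-qubit family cos(j*theta)|0> + sin(j*theta)|1>, theta = pi/2**L."""
    return math.cos((j - jp) * math.pi / 2 ** L) ** 2


def forgery_c2_bound(L, n, T, M, delta):
    """Upper limit on c2 from the forgery argument of Section 5: about G = 2^-(L - Tn) (2M) keys
    can be guessed outright, each remaining key fails verification with probability >= 1 - delta^2,
    so we need (1 - delta^2)(M - G) > c2 M."""
    assert T < L / n, "the protocol requires T < L/n copies of each public key in circulation"
    G = 2.0 ** (-(L - T * n)) * (2 * M)
    return (1 - delta ** 2) * (M - G) / M


def generate_private_keys(M, L, rng):
    """M independent pairs (k_0^i, k_1^i) of L-bit strings, stored as integers in [0, 2**L)."""
    return [(rng.randrange(2 ** L), rng.randrange(2 ** L)) for _ in range(M)]


def public_keys_for(private_keys):
    """Honest Alice: the recipient's copy of |f_{k_b^i}> is represented by the index k_b^i itself
    (this simulation tracks which family state the recipient physically holds)."""
    return [tuple(pair) for pair in private_keys]


def sign(private_keys, b):
    """Step 1: the signed message (b, k_b^1, ..., k_b^M)."""
    return (b, [pair[b] for pair in private_keys])


def verdict(public_keys, signed, L, c1, c2, rng):
    """Steps 2-3 for one recipient: verify each revealed key against the held public state
    (passes with probability |<f_held|f_revealed>|^2), count failures s_j, apply the thresholds."""
    b, revealed = signed
    M = len(revealed)
    s = sum(1 for i, k in enumerate(revealed)
            if rng.random() >= overlap_sq(public_keys[i][b], k, L))
    if s < c1 * M:
        return "1-ACC", s
    if s > c2 * M:
        return "REJ", s
    return "0-ACC", s


def forge(signed, L, rng):
    """Zero-information forger (assumed): flips the bit and guesses the unrevealed keys at random."""
    b, revealed = signed
    return (1 - b, [rng.randrange(2 ** L) for _ in revealed])


def run_demo(seed=1):
    """Sign b = 0 honestly, let a forger try b' = 1, and return both verdicts with the thresholds."""
    L, n, T, M = 3, 1, 1, 200
    rng = random.Random(seed)
    delta = math.cos(math.pi / 2 ** L)            # delta = cos(theta) for this family
    c2 = 0.95 * forgery_c2_bound(L, n, T, M, delta)   # just below the forgery bound
    c1 = c2 / 4                                       # leaves the gap c2 - c1 against Alice
    priv = generate_private_keys(M, L, rng)
    pub = public_keys_for(priv)
    honest = sign(priv, 0)
    forged = forge(honest, L, rng)
    return {"c1": c1, "c2": c2,
            "honest": verdict(pub, honest, L, c1, c2, rng),
            "forged": verdict(pub, forged, L, c1, c2, rng)}


if __name__ == "__main__":
    print(run_demo())
```

The honest message always yields $s_j = 0$ and 1-ACC (an honest key passes with probability exactly 1), while the forged message fails roughly half of the $M$ checks, far above $c_2 M$, and is rejected. Note how small the usable $c_2$ is for this family: $\delta = \cos(\pi/8)$ makes $1-\delta^2 \approx 0.15$, which is why the paper prefers families with $\delta$ well below 1 when $L$ is large.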

5. PROOF OF SECURITY I: FORGERY 

We need to prove the security of this scheme against two scenarios of cheaters. In the first scenario, only Alice is dishonest; her goal is to get recipients to disagree about whether a message is valid or not (i.e., she wishes to "repudiate" it). We will show that if one recipient unconditionally accepts ($s_j < c_1 M$), then it is very unlikely that another will unconditionally reject ($s_{j'} > c_2 M$). However, we delay this proof until after discussing distribution of the public keys.

The second scenario is the standard forging scenario. In this case, Alice and at least one recipient Bob are honest. Other recipients or some third party are dishonest, and they wish to convince Bob that a message $b' \ne b$ is valid. Naturally, the forgers can always prevent any message from being received, or cause Bob to reject a valid message, but we do not consider this to be a success for the cheaters.

The security proof for this scenario is straightforward. In the worst case, the forger Eve has access to all $T$ copies of each public key. By Holevo's theorem, Eve can acquire at most $Tn$ bits of information about each bit string $k_b^i$. When Alice sends the signed message, Eve may attempt to substitute a different $b' \ne b$ and (possibly) different values of the $k_{b'}^i$ to go with it. However, since she lacks at least $L - Tn$ bits of information about any public key which Alice hasn't revealed, she will only guess correctly on about $G = 2^{-(L - Tn)}(2M)$ keys. Furthermore, if she wishes to change a key whose identity she did not guess correctly, she has only probability $\delta^2$ of successfully revealing the key. Each recipient measures $M$ keys, so when $b \ne b'$, each recipient will find (with high probability) that at least $(1 - \delta^2)(M - G) - O(\sqrt{M})$ public keys fail. We will pick $c_2$ so that $(1 - \delta^2)(M - G) > c_2 M$, which means each recipient either receives the correct message, or rejects the message with high probability.

6. KEY DISTRIBUTION 

For the first scenario, where Alice is dishonest, we will simplify to the case where there are only two recipients, Bob and Charlie. However, before tackling the proof, we must return to the issue of key distribution. Here, Alice wishes Bob (for instance) to accept the message and Charlie to reject it. Certainly, if Alice can give completely different public keys to Bob and Charlie, she can easily repudiate her messages; therefore, any signature scheme, classical or quantum, must be accompanied by a key distribution scheme to eliminate this possibility.

Classically, a straightforward assumption is that public keys are broadcast to all recipients; however, in practice this is seldom the case (the internet, for instance, is normally used as a point-to-point network), and creating a cryptographically secure broadcast channel is a highly nontrivial task. In the quantum case, we do not even have the possibility of a broadcast channel, so we must resort to other means. One straightforward solution is to assume the existence of a trusted key distribution center, which has authenticated links [?] to all three participants. Alice sends her public keys to the key distribution center, which performs swap tests between corresponding pairs of public keys. If any pair of public keys fails the swap test, the center concludes Alice is cheating; otherwise it forwards a copy of each public key to each recipient.

Alice can prepare any state she wishes for the public keys, including entangled states and states outside the family $|f_k\rangle$. For instance, she can prepare a symmetric state, such as $|\psi\rangle_B|\phi\rangle_C + |\phi\rangle_B|\psi\rangle_C$. Because this state is invariant under swaps, it always passes all tests, so that the key distribution center concludes that Bob and Charlie will have the same key. But that is an illusion: clever trickery by Alice, who can nevertheless arrange that Bob and Charlie disagree on the validity of the corresponding private key $k_b^i$. However, Alice cannot control which of them receives the valid key; it goes randomly to Bob or Charlie. Thus, since $M$ is large, the difference $|s_B - s_C|$ is $O(\sqrt{M})$ with high probability, which makes it very unlikely that Bob and Charlie will get definitive but differing results. That is, when one of them (say, Bob) accepts a message (1-ACC), that is $s_B < c_1 M$, Charlie almost never rejects it (REJ), which would happen if $s_C > c_2 M$. The gap between $c_1 M$ and $c_2 M$ protects them against Alice's machinations.

Of course, assuming a universally trusted third (or in this case, fourth) party always simplifies cryptographic protocols, so for the full proof, we wish to consider a more sophisticated scenario. In this case, we assume that Bob and Charlie have each received their public keys directly from Alice, perhaps in person, perhaps via a private key authenticated channel. Then to test their keys classically, Bob and Charlie would announce and compare them. For our quantum protocol, they can instead perform the following distributed swap test: Each of Bob and Charlie receives from Alice two copies of each public key (so there are a total of $T = 4$ copies of each public key in circulation). For each value of $i$ and $b$, the recipients verify that they all received the same public key $|f_{k_b^i}\rangle$. To do so, each recipient first performs a swap test between their two keys, then passes one copy to a single recipient (Bob, for instance). Bob then checks that these two test keys pass the swap test as well. If any keys fail either test, the protocol is aborted. Otherwise, discard the test keys. The remaining "kept" keys are used to verify messages in the main protocol.

A dishonest recipient can always cause the key distribution phase to abort, but nothing more. He could also allow a dishonest Alice to incorrectly pass the test, but the notion of a digital signature is only meaningful when at least two participants are honest. When Alice is honest, no cheater has an opportunity to alter someone else's public key, so the scheme remains secure against forgery.

We wish to emphasize that the above suggestions for key distribution are by no means the only possibilities. The distributed swap test can easily be generalized to the case of multiple recipients (see Section 8), for instance, and many classical methods of key distribution can be adapted for the quantum case to allow a variety of security assumptions. Ideally, it would be possible to state a simple security criterion that would evaluate whether a given method of key distribution is successful or not without reference to the particular quantum public key protocol for which the keys are intended, but we do not attempt to formulate such a definition.
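The distributed swap test described above, run over $M$ public keys, as an added example that is not part of the paper. A swap test between family states $|f_j\rangle$ and $|f_{j'}\rangle$ is sampled from its pass probability $(1+|\langle f_j|f_{j'}\rangle|^2)/2$ rather than simulated as a circuit, and the cheating Alice modelled here simply hands Bob and Charlie different product states; the symmetric entangled state discussed in this section is not modelled. $L = 5$ is chosen so that $T = 4 < L/n$ holds with $n = 1$; the function names and parameters are the example's own.

```python
import math
import random


def overlap_sq(j, jp, L):
    """|<f_j|f_j'>|^2 for the one-qubit family cos(j*theta)|0> + sin(j*theta)|1>, theta = pi/2**L."""
    return math.cos((j - jp) * math.pi / 2 ** L) ** 2


def swap_test_passes(j, jp, L, rng):
    """Sample one swap test between |f_j> and |f_j'>: passes with probability (1 + |<f_j|f_j'>|^2)/2."""
    return rng.random() < (1 + overlap_sq(j, jp, L)) / 2


def distributed_swap_test(bob_copies, charlie_copies, L, rng):
    """bob_copies[i] and charlie_copies[i] are the two copies (as family indices) each recipient
    received for public key i.  Returns (passed, bob_kept, charlie_kept); any failure aborts."""
    bob_kept, charlie_kept = [], []
    for (b_keep, b_test), (c_keep, c_test) in zip(bob_copies, charlie_copies):
        # each recipient first swap-tests the two copies they hold
        if not swap_test_passes(b_keep, b_test, L, rng):
            return False, [], []
        if not swap_test_passes(c_keep, c_test, L, rng):
            return False, [], []
        # Charlie passes one copy to Bob, who swap-tests it against one of his own
        if not swap_test_passes(b_test, c_test, L, rng):
            return False, [], []
        # the test copies are discarded; the kept copies go on to the main protocol
        bob_kept.append(b_keep)
        charlie_kept.append(c_keep)
    return True, bob_kept, charlie_kept


def honest_distribution(keys):
    """Honest Alice: all four copies of public key i are |f_{k_i}>."""
    return [(k, k) for k in keys], [(k, k) for k in keys]


def cheating_distribution(keys, L, rng):
    """Product-state cheat (assumed here): Bob receives copies of |f_{k_i}>, Charlie receives
    copies of an unrelated family state, so the two recipients would disagree later."""
    bob, charlie = [], []
    for k in keys:
        c = (k + rng.randrange(1, 2 ** L)) % 2 ** L     # guaranteed different from k
        bob.append((k, k))
        charlie.append((c, c))
    return bob, charlie


def run_demo(seed=7, L=5, n=1, M=200):
    """Returns (honest_passed, honest_kept_keys_correct, cheat_passed)."""
    assert 4 < L / n, "T = 4 copies of each key must satisfy T < L/n"
    rng = random.Random(seed)
    keys = [rng.randrange(2 ** L) for _ in range(M)]
    bob, charlie = honest_distribution(keys)
    ok, bob_kept, charlie_kept = distributed_swap_test(bob, charlie, L, rng)
    bob_c, charlie_c = cheating_distribution(keys, L, rng)
    ok_cheat, _, _ = distributed_swap_test(bob_c, charlie_c, L, rng)
    return ok, bob_kept == keys and charlie_kept == keys, ok_cheat


if __name__ == "__main__":
    print(run_demo())
```

With identical copies every swap test passes with probability 1, so the honest run never aborts and both recipients keep the correct keys. In the product-state cheat each cross test between Bob's and Charlie's copies fails with probability $(1-|\langle f_k|f_{k'}\rangle|^2)/2$, and over $M = 200$ keys the probability of slipping through is negligible, so the run aborts; this is exactly the check that forces a cheating Alice into the symmetric (entangled) states analysed in Section 7.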

7. PROOF OF SECURITY II: REPUDIATION AND TRANSFERABILITY

We now return to the security of our digital signature protocol, and show that it prevents Alice from cheating (repudiating a message she has signed). Whatever the method of key distribution, some form of swap test is likely to be present, so we assume the use of a distributed swap test. Our goal is to compute the probability $p_{\rm cheat}$ that Alice can pass all the swap tests but achieve $|s_B - s_C| > (c_2 - c_1)M$, meaning that Bob and Charlie disagree about the validity of the message. We do this by studying a global pure state $|\Psi\rangle$, which describes all of the public keys as well as any state that Alice may have which is entangled with the keys. Any state which passes the initial swap tests will be symmetric between the test keys and the kept keys; in fact, it is symmetric between any individual test key and the corresponding kept key. Therefore, we can safely assume Alice prepares $|\Psi\rangle$ with this property. From now on, when we speak of the swap test, we only refer to the second swap test between the two test keys.

Now, for each set of four keys (two test and two kept), the most general state is a superposition of two types of terms. A type-1 term may pass the swap test, but leaves Bob and Charlie in agreement, on average, about the validity of the keys, while a type-2 term frequently fails the swap test. To perform the decomposition, we expand the kept keys and the test keys each in the basis $|f\rangle|f\rangle$, $|f_\perp\rangle|f'_\perp\rangle$, $|+_\alpha\rangle$, and $|-_\alpha\rangle$, where the first ket is Bob's, the second is Charlie's, $|f\rangle = |f_{k_b^i}\rangle$ for the current value of $b$ and $i$, the states $|f_\perp\rangle$ form an orthonormal basis with $|f\rangle$, and $|\pm_\alpha\rangle = |f\rangle|f_\perp\rangle \pm |f_\perp\rangle|f\rangle$. Thus, a dishonest Alice might, for instance, prepare the state $|\Psi\rangle = |f\rangle_K|f\rangle_K|+_\alpha\rangle_T + |+_\alpha\rangle_K|f\rangle_T|f\rangle_T$, where the subscript $K$ indicates kept keys and $T$ indicates test keys. A type-1 term is any term for which both the kept and test keys are in a state $|f\rangle|f\rangle$, $|f_\perp\rangle|f'_\perp\rangle$, or $|+_\alpha\rangle$. Note that a sum of type-1 terms (such as above) may always pass the swap test, but also has equal amplitudes for Bob and Charlie to pass key verification. A type-2 term is any term including a $|-_\alpha\rangle$ state for the kept keys, the test keys, or both. For the type-2 terms, we explicitly note the symmetry between the kept and test keys, meaning the superposition $(|+_\alpha\rangle_K|-_{\alpha'}\rangle_T + |-_\alpha\rangle_K|+_{\alpha'}\rangle_T)/\sqrt{2}$ is the only way $|-_\alpha\rangle|+_{\alpha'}\rangle$ can appear. In particular, any sum of type-2 terms respecting this symmetry must have at least a 50% chance of failing the swap test. On the other hand, some superpositions of type-2 terms can give different chances for Bob and Charlie to pass key verification. Also note that the subspace of type-1 terms is orthogonal to the subspace of type-2 terms.

Expanding every set of keys in $|\Psi\rangle$ in this way gives a global state which we can again divide up into two terms: $|\Psi_1\rangle + |\Psi_2\rangle$. Every summand in $|\Psi_1\rangle$ contains at most $r$ type-2 tensor factors, where $r = cM$ for some constant $c > 0$; the rest are type-1 terms. $|\Psi_2\rangle$ consists of terms with more than $r$ type-2 tensor factors.

We wish to show first that for the state $|\Psi_1\rangle$, $|s_B - s_C|$ will be small. If there were only a single summand in $|\Psi_1\rangle$, this would clearly be true, since each type-1 factor has an equal probability of contributing to $s_B$ and to $s_C$, and there are only a few type-2 terms. However, different summands of $|\Psi_1\rangle$ with different patterns of type-1 and type-2 states might interfere quantum-mechanically. To show $|s_B - s_C|$ is small even in this case, it will be sufficient to look just at the kept keys, and furthermore only at the states $|+_\alpha\rangle$ and $|-_\alpha\rangle$: the states $|f\rangle|f\rangle$ and $|f_\perp\rangle|f'_\perp\rangle$ always produce exactly the same contribution to $s_B$ and to $s_C$, and cannot interfere with each other. In fact, $|+_\alpha\rangle$ and $|-_{\alpha'}\rangle$ cannot interfere when $\alpha \ne \alpha'$, so we can restrict attention to just two states $|+\rangle$ and $|-\rangle$. On the other hand, the combination $|0\rangle = (|+\rangle + |-\rangle)/\sqrt{2}$ will always cause Bob's key to pass and Charlie's to fail, whereas $|1\rangle = (|+\rangle - |-\rangle)/\sqrt{2}$ gives the opposite result.

This allows us to simplify the problem. We can invoke the lemma from the Appendix to show that, for large $M$ and sufficiently small $c$, the probability that $|s_B - s_C| > (c_2 - c_1)M$ for $|\Psi_1\rangle$ is exponentially small in $M$; less than $2^{-[1 - H((1 - c_2 + c_1)/2) - H(c)]M}$, in fact, although this is not at all a tight bound.

For $|\Psi_2\rangle$, we wish to show that the probability of passing the swap test is very small. To see this, it will suffice to consider a modified swap test which passes any state of the test keys except $|-_a\rangle$; certainly the probability of passing this test can be no smaller than the probability of passing the original swap test. Since each type-2 term by itself has at least a 1/2 chance of failing the modified swap test, a tensor product of $r$ or more of them passes with probability no larger than $2^{-r}$. There can be no interference between different positions for the type-2 terms, since the modified swap test is compatible with the projection onto type-1 and type-2 terms. Therefore, the probability of $|\Psi_2\rangle$ passing the swap test (original or modified) is at most $2^{-r} = 2^{-cM}$. Since $c > 0$, this is exponentially small in $M$.

Now we can put this together to obtain a bound on $p_{\mathrm{cheat}}$, which is the probability that the state both passes the swap test and produces $|s_B - s_C| > (c_2 - c_1)M$. The $|\Psi_1\rangle$ term might have a good chance of passing all swap tests, but yields an exponentially small chance of giving the required separation between $s_B$ and $s_C$. The $|\Psi_2\rangle$ term might have $O(1)$ probability of having $|s_B - s_C| > (c_2 - c_1)M$, but only has an $O(2^{-r})$ chance of passing all swap tests. The best case for constructive interference between the two terms gives a total probability $p_{\mathrm{cheat}}$ at most twice the sum of the two probabilities for $|\Psi_1\rangle$ and $|\Psi_2\rangle$, which is still exponentially small in $M$. Therefore, Alice has $p_{\mathrm{cheat}} = O(d^{-M})$ probability of successfully cheating for some $d > 1$.

8. GENERALIZATIONS AND EXTENSIONS 

One straightforward generalization is to use the distributed swap test with many recipients. To do this, we can replace the swap test with a test for complete symmetry of $s$ states [ref]. Instead of preparing an ancilla in the state $(|0\rangle + |1\rangle)/\sqrt{2}$, we prepare a superposition over states indexed by all permutations of $s$ elements. Then perform the permutation $\sigma$ conditioned on the ancilla being in the state $|\sigma\rangle$, and finally measure the ancilla to see if it remains in the original superposition. If the state of keys being tested is completely symmetric, it always will pass; otherwise it has some chance to fail. Furthermore, note that, for any state of the keys, the probability that any particular pair of keys out of the $s$ keys being tested will fail a regular swap test is no larger than the chance that the full set of keys fails the symmetry test, so for any pair of keys, the symmetry test is at least as sensitive as the swap test.

The distributed symmetry test then allows public key distribution for $t > 2$ recipients. Each person receives $t + 1$ copies of each public key (so there are $T = t(t + 1)$ copies in circulation) and tests them for complete symmetry. Assuming they pass, each recipient keeps one copy of each key to verify a signature, sends one copy to each of the other recipients to perform a second symmetry test, and keeps the last copy for his own symmetry test. Each recipient now has $t$ test keys, and performs a symmetry test on those keys. He rejects the set of keys if it fails either of the symmetry tests he performed. If we restrict attention to any particular pair of recipients, this procedure essentially reduces to the distributed swap test again, so the proof of the previous section tells us that for any two recipients $i$ and $j$, the probability that the keys pass the symmetry test but $|s_i - s_j| > (c_2 - c_1)M$ is exponentially small in $M$. This shows the signature protocol remains secure with the distributed symmetry test and many recipients.

We can also create additional thresholds to allow more than one transfer. That is, $0 = c_0 < c_1 < \dots < c_q < 1$, and if $c_{r-1} < s_i < c_r$, for $r \le q$, then recipient $i$ will $(q - r)$-accept the message. When a recipient $s$-accepts the message (result $s$-ACC), he is convinced the message is valid (it originated with Alice), and that any other recipient will at least $(s - 1)$-accept the same message. A recipient who 0-accepts a message is convinced it is valid, but is not sure someone else will agree with him (result 0-ACC). In other words, $s$-acceptance means the recipient is sure he can convince $s$ other people of the message's validity sequentially, even if each wants to be sure later people accept it as well. The security of $s$-acceptance follows immediately from the proof of security in the last section, simply substituting $c_r - c_{r-1}$ for $c_2 - c_1$.

Another useful extension is the ability to expand the original symmetry test to additional groups of keys. Assume we have a single recipient Bob who communicates with two separate sets of recipients; we will assume Bob is not allied with the sender Alice. Suppose Bob receives $s + 1$ keys originally, and performs a test on them for complete symmetry. Then he keeps one key for verifying a signature, and uses some (but not all) of the $s$ test keys to perform a distributed symmetry test with a group $R_1$ of recipients. The extra test keys certainly do not affect the security of the distributed symmetry test. Suppose Bob uses the remaining test keys to perform a distributed symmetry test with a second group of recipients $R_2$, possibly at a much later time. Then if Charlie is in $R_1$ and Diane is in $R_2$, we know that (with high probability) either the keys fail a test, or that $|s_B - s_C| < \Delta M$ and that $|s_B - s_D| < \Delta M$ for some $\Delta$, in which case it is also true that $|s_C - s_D| < 2\Delta M$. In other words, even though Charlie and Diane have not interacted directly, the gap between $s_C$ and $s_D$ is still bounded, but by twice the margin between two recipients in the same group.

While we have described a procedure for signing single-bit messages, multi-bit messages can be sent by repeating the process, using $M$ pairs of public keys for each message bit. However, a much more efficient procedure is to first encode the message in a classical error-correcting code with distance $M$, and to use a single pair of public keys for each encoded bit. The single-bit protocol can be viewed as a special case of this using a repetition code. Valid messages are codewords of the error-correcting code; to change from one valid message to another requires altering $M$ bits. Therefore, the above security proofs hold with only two changes: $G$, the number of keys successfully guessed by Eve, is now $2^{-(L - Tn)}(2N)$, where $N$ is the length of the full encoded message. In addition, if Alice attempts to cheat, she can produce a difference $|s_B - s_C|$ proportional to $N$, not $M$, using type-1 terms. We should thus have $M$ scale linearly with $N$ when the latter is very large.

9. CONCLUSIONS 

The digital signature scheme provided here has many poten- 
tial applications. It combines unconditional security with 
the flexibility of a public key system. An exchange of dig- 
ital signature public keys is sufficient to provide authenti- 
cation information for a quantum key distribution session. 
Quantum digital signatures could be used to sign contracts 
or other legal documents. In addition, digital signatures 
are useful components of other more complex cryptographic 
procedures. 

One particularly interesting application is to create a kind 
of quantum public key cryptography. If Bob has Alice's 
public key, but Alice has nothing from Bob, then Bob can 
initiate a quantum key distribution session with Alice. Bob 
will be sure that he is really talking to Alice, even though 
Alice has no way to be sure that Bob is who he says he is. 
Therefore, the key generated this way can be safely used to 
send messages from Bob to Alice, but not vice-versa. 

However, quantum public keys have a number of disadvantages. It is not possible to sign a general unknown quantum state, even with computational security. This is unfortunate, since a common classical method for distributing public keys is to have a trusted "Certificate Authority" (whose public key is already well-known) sign them for later transmissions. However, perhaps this can be circumvented: the quantum public keys of our protocol are known quantum states, so perhaps there is some way to securely sign them for distribution at a later time.

Note that in a purely classical scheme, the public key can be 
given out indiscriminately. This cannot be true of a quan- 
tum scheme: when there are very many copies of a public 
key, sufficiently careful measurements can completely deter- 
mine its state, and therefore one may as well treat the public 
key as classical. In that case, security must be dependent 
on computational or similar assumptions. Thus, any quan- 
tum digital signature scheme will necessarily require limited 
circulation of the public key. This is primarily a question of 
efficiency, since sufficiently large L allows many keys to be 
issued. 

So how do the required resources scale with the number of 
recipients? There are three resources that one might con- 
sider: the size of each public key, the size of a single signed 
message, and size of the private key. In our case, a single 
public key need only scale as the logarithm of the number 
of receivers. This is good, since the public keys are made of 
qubits, which may be the most expensive component. How- 
ever, the length L of the private key must be at least equal 
to T, the total number of public keys in circulation, which 
must be linear or quadratic in the number of recipients. It 
remains possible that an improved proof or protocol could 
reduce the required L substantially, although we are not op- 
timistic on this point. However, this is not too serious, since 
the classical memory used to store the private key is already 
quite cheap. A more serious flaw in our current protocol 



is the requirement that the length of a signed message also 
scale linearly with L. There does not seem to be a funda- 
mental requirement for this, luckily, so it seems plausible 
that an improved protocol is possible for which the length 
of messages scales at most logarithmically with T. 

Scaling of resources with other variables can probably be im- 
proved as well. Earlier, we showed how to reduce the amount 
of key required to send long messages; perhaps further im- 
provement is possible. Classical private-key authentication 
allows the expenditure of only a logarithmic amount of key 
in the length of the message; it is reasonable to speculate 
that similar efficiency could be achieved here. Efficiently 
signing known quantum states would allow this, for instance, 
since then we could sign a quantum fingerprint [ref] of the message.

Since our scheme requires a new set of keys for each mes- 
sage, the total amount of key consumed also scales linearly 
with the number of messages sent. It would be preferable to 
reduce this to the levels allowed by classical protocols: the 
log of the number of messages, or even constant (although 
it seems unlikely that is possible). Either would imply sub- 
stantial reuse of public keys. Designing such a protocol will 
be a difficult task, however, since usual classical techniques 
for reusing signature keys cannot be applied to quantum 
public keys. 

In summary, we have demonstrated the existence of an un- 
conditionally secure public key digital signature scheme, some- 
thing which is not possible classically. Many potential im- 
provements remain, however. The possibilities and ulti- 
mate limitations of quantum public key cryptography re- 
main largely unexplored. 
APPENDIX

A. LEMMA FOR PROOF OF TRANSFERABILITY

Lemma 1. For any $\Delta > 0$, there exists a $c > 0$ such that, for large $M$, the following holds: Given a state $|\Psi_1\rangle$ of $M$ qubits which is a sum of tensor products of $|+\rangle$ and $|-\rangle$ with at most $r = cM$ $|-\rangle$ factors in any term, then measurement in the $|0\rangle, |1\rangle$ basis will with high probability produce a result with weight between $M(1/2 - \Delta)$ and $M(1/2 + \Delta)$.

That is, if we have a superposition of words of weight at 
most r, the weight measured in the Hadamard-rotated basis 
will be near M/2. 

Proof: This is easy to show. There can be at most about $N = \binom{M}{r}$ terms in the sum. Note that $\log_2 N \approx M H(r/M) = M H(c)$, where $H(x)$ is the Hamming entropy $H(x) = -x \log_2 x - (1 - x)\log_2(1 - x)$. Thus, the probability $|\langle y|\Psi_1\rangle|^2$ to get a particular string $y$ in the $|0\rangle, |1\rangle$ basis is at most $N/2^M \approx 2^{(H(c) - 1)M}$. Since there are about $2\binom{M}{M(1/2 - \Delta)}$ strings outside the allowed range, the total probability of being outside the allowed range is at most about

$$2^{1 + [H(1/2 - \Delta) + H(c) - 1]M}. \qquad (1)$$

This is small for large $M$ whenever

$$H(1/2 - \Delta) + H(c) < 1. \qquad (2)$$

Since $H(1/2 - \Delta) < 1$ for any $\Delta > 0$, and $H(c) \to 0$ as $c \to 0$, the lemma follows.
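As an added worked example (not part of the paper), the following evaluates the bound (1) of this lemma and the Section 7 cheating bound built from it, using the paper's symbols: $M$ key pairs, $c = r/M$ the fraction of type-2 factors, $\Delta = (c_2 - c_1)/2$, and $H$ the Hamming entropy. Function names are mine; the bisection for the largest admissible $c$ is an added convenience, not something the paper computes.

```python
# Added worked example (not from the paper): evaluate the Appendix A bound and
# the resulting Section 7 cheating bound numerically, in the paper's symbols:
# M key pairs, c = r/M the type-2 fraction, Delta = (c_2 - c_1)/2, H = binary entropy.
import math


def binary_entropy(x: float) -> float:
    """Hamming entropy H(x) = -x log2 x - (1-x) log2 (1-x), with H(0) = H(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def lemma_exponent(delta: float, c: float) -> float:
    """E = 1 - H(1/2 - Delta) - H(c); the lemma's bound is 2^(1 - E*M), so it
    is exponentially small in M exactly when E > 0, i.e. condition (2) holds."""
    return 1.0 - binary_entropy(0.5 - delta) - binary_entropy(c)


def lemma_bound(delta: float, c: float, m: int) -> float:
    """Bound (1): 2^(1 + [H(1/2-Delta) + H(c) - 1] M) on the probability that
    the measured weight falls outside [M(1/2-Delta), M(1/2+Delta)]."""
    return 2.0 ** (1.0 - lemma_exponent(delta, c) * m)


def max_type2_fraction(delta: float, tol: float = 1e-12) -> float:
    """Largest c < 1/2 with H(1/2-Delta) + H(c) < 1, by bisection (H increases
    on [0, 1/2]).  Any smaller c satisfies the lemma's hypothesis on r = cM."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if lemma_exponent(delta, mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo


def cheat_bound(c1: float, c2: float, c: float, m: int) -> float:
    """Section 7: p_cheat is at most twice the sum of the |Psi_1> term (lemma
    bound with Delta = (c2-c1)/2, so H(1/2-Delta) = H((1-c2+c1)/2)) and the
    |Psi_2> term 2^(-r) = 2^(-cM) from the swap test."""
    delta = (c2 - c1) / 2.0
    return 2.0 * (lemma_bound(delta, c, m) + 2.0 ** (-c * m))


def decay_base(c1: float, c2: float, c: float, m: int) -> float:
    """The d with cheat_bound = d^(-M); the proof needs d > 1 for large M."""
    return cheat_bound(c1, c2, c, m) ** (-1.0 / m)
```

For thresholds $c_1 = 0.1$, $c_2 = 0.3$ the admissible type-2 fraction is only about $c \approx 0.003$, which is why the text calls the bound loose even though it decays exponentially.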